Wi-Fi Protected Setup
|This article needs additional citations for verification. (January 2012)|
Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a network security standard that attempts to allow users to easily secure a wireless home network but could fall to brute-force attacks if one or more of the network's access points do not guard against the attack.
Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need.
A major security flaw was revealed in December 2011 that affects wireless routers with the WPS PIN feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS PIN feature, although this may not be possible on some router models.
- PIN Method, in which a personal identification number (PIN) has to be read from either a sticker or the display on the new wireless device. This PIN must then be entered at the "representant" of the network, usually the access point of the network. Alternately, a PIN on the Access Point may be entered into the new device. The PIN Method is the mandatory baseline mode; every Wi-Fi Protected Setup certified product must support it.
- Push-Button-Method, in which the user simply has to push a button, either an actual or virtual one, on both the access point and the new wireless client device. Support of this mode is mandatory for access points and optional for connecting devices.
- Near-Field-Communication Method, in which the user simply has to bring the new client close to the access point to allow a near field communication between the devices. NFC Forum compliant RFID tags can also be used. Support of this mode is optional.
- USB Method, in which the user uses a USB flash drive to transfer data between the new client device and the access point of the network. Support of this mode is optional, but deprecated.
The last two modes are usually referred as out-of-band methods as there is a transfer of information by a channel other than the Wi-Fi channel itself. Only the first two modes are currently covered by the Wi-Fi Protected Setup certification. The USB method has been deprecated and is not part of the Alliance's certification testing.
A few wireless access points have a dual-function Wi-Fi Protected Setup button (of which can also perform a factory reset); pressing this button for too long can initiate a factory reset of the wireless access point.
The WPS protocol defines three types of devices in a network:
- Registrar: A device with the authority to issue and revoke credentials to a network. A registrar may be integrated into a wireless access point (AP), or it may be separate from the AP.
- Enrollee: A device seeking to join a wireless network.
- AP: An AP functioning as a proxy between a registrar and an enrollee.
The WPS standard defines three basic scenarios that involve these components:
- AP with internal registrar capabilities configures an Enrollee Station (STA). In this case, the session will run on the wireless medium as a series of EAP request/response messages, ending with the AP disassociating from the STA and waiting for the STA to reconnect with its new configuration (handed to it by the AP just before).
- Registrar STA configures the AP as an enrollee. This case is subdivided in two aspects: first the session could occur on both a wired or wireless medium, and second the AP could already be configured by the time the registrar found it. In the case of a wired connection between the devices, the protocol runs over Universal Plug and Play (UPnP), and both devices will have to support UPnP for that purpose. When running over UPnP, a shortened version of the protocol is run (only 2 messages) as no authentication is required other than that of the joined wired medium. In the case of a wireless medium, the session of the protocol is very similar to the internal registrar scenario, just with opposite roles. As to the configuration state of the AP, the registrar is expected to ask the user whether to reconfigure the AP or keep its current settings, and can decide to reconfigure it even if the AP describes itself as configured. Multiple registrars should have the ability to connect to the AP. UPnP is intended to apply only to a wired medium, while actually it applies to any interface to which an IP connection can be set up. Thus having manually set up a wireless connection, the UPnP can be used over it in the same manner as with the wired.
- Registrar STA configures enrollee STA. In this case the AP stands in the middle and acts as an authenticator, meaning it only proxies the relevant messages from side to side.
The WPS protocol consists as a series of EAP message exchanges that are triggered by a user action and relies on an exchange of descriptive information that should precede that user's action.
The descriptive information is transferred through a new Information Element (IE) that is added to the beacon, probe response and optionally to the probe request and association request/response messages. Other than purely informative type-length-values, those IEs will also hold the possible, and the currently deployed, configuration methods of the device.
After the identification of the device's capabilities on both ends, user is used to initiate the actual session of the protocol. The session consists of 8 messages that are followed, in the case of a successful session, by a message to indicate the protocol is done. The exact stream of messages may change when configuring different kinds of devices (AP or STA) or using different physical media (wired or wireless).
Inflexibility with respect to band or radio selection
When the pushbutton method is supported by the wireless access point SSID and the wireless client (and its drivers) when selected under Windows Vista onwards, a prompt appears to press the Wi-Fi Protected Setup button which has its standardized symbol, of which allows flexibility and ease of connection with respect to band or radio selection, since a number of dual-band wireless routers only have video optimization options for the 5 GHz band. A number of non-PC devices with dual band wireless network connectivity do not allow the user to select the 2.4 GHz or 5 GHz band (or even a particular radio or SSID) when using Wi-Fi Protected Setup unless the wireless access point has separate Wi-Fi Protected Setup buttons for each band or radio.
Non-standard symbols and names
Some manufacturers of wireless access points which support Wi-Fi Protected Setup use a symbol and/or other than the symbol standardized by the Wi-Fi Alliance. Notable examples are Push ‘N’ Connect from Netgear and QSS (Quick Secure Setup) from TP-Link.
In December 2011, researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks. A successful attack on WPS allows unauthorized parties to gain access to the network. The only effective workaround is to disable WPS.
The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN. The PIN is an eight-digit number used to add new WPA enrollees to the network. Since the last digit is a checksum of the previous digits, there are seven unknown digits in each PIN, yielding 107 = 10,000,000 possible combinations.
When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the pin consists of four digits (10,000 possibilities) and the second half has only three active digits (1000 possibilities), at most 11,000 guesses are needed before the PIN is recovered. This is a reduction by three orders of magnitude from the number of PINs that would have to be tested. As a result, an attack can be completed in under four hours (183 minutes to be precise). The ease or difficulty of exploiting this flaw is implementation-dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.
A tool has been developed in order to show that the attack is practical. The firm that released the tool, Tactical Network Solutions in Maryland, says that it has known about the vulnerability since early 2011 and has been using it.
In some devices, disabling WPS in the user interface does not result in the feature actually being disabled. The device remains vulnerable to attack. Firmware updates have been released for some of these devices so that WPS can be disabled completely.
Vendors could patch the vulnerability by adding a lock-down period if the Wi-Fi access point detects a brute-force attack in progress, which disables the PIN method for long enough to make the attack impractical.
Physical security issues
All forms of Wi-Fi Protected setup are vulnerable to usage by an unauthorized user if the wireless access point is not kept in a secure area, and many wireless access points have security information (if factory secured) and the Wi-Fi Protected Setup PIN number printed on them. This PIN number is often found in the configuration menus of the wireless access point and if this PIN number cannot be changed and/or disabled, the only remedy is to get a firmware update to enable the PIN number to be changed or to replace the wireless access point. Intruders who physically find a wireless access point which is factory secured and/or supporting Wi-Fi Protected Setup can use such information printed on the unit to commit unauthorized and/or unlawful activities. It is possible to extract a wireless passphrase with the following methods using no special tools:
- A wireless passphrase can be extracted using Wi-Fi Protected Setup under Windows Vista onwards under administrative privileges by connecting with this method then bringing up the Properties for this wireless network and clicking on “Show characters”.
- A simple exploit in the Intel PROset wireless client utility can reveal the wireless passphrase after connection with Wi-Fi Protected Setup after a simple move of the dialog box which asks if you want to reconfigure this access point.
It is highly recommended that wireless access points which are factory secured and/or supporting Wi-Fi Protected Setup be kept in a physically secure area, preferably under video surveillance.
- Walker-Morgan, Dj (2011-12-29). "Wi-Fi Protected Setup made easier to brute force". The H. Archived from the original on 2 May 2012. Retrieved 2011-12-31.
- Slavin, Brad (January 18, 2013). "Wi-Fi Security – The Rise and Fall of WPS". Netstumbler.com. Retrieved December 17, 2013.
- Tim Higgins (2008-03-13). "How is WPS supposed to work?". Pudai LLC. Retrieved 2012-01-02.
- Viehböck, Stefan (2011-12-26). "Brute forcing Wi-Fi Protected Setup" (PDF). Retrieved 2011-12-30.
- Allar, Jared (2011-12-27). "Vulnerability Note VU#723755 - WiFi Protected Setup PIN brute force vulnerability". Vulnerability Notes Database. US CERT. Retrieved 2011-12-31.
- Gallagher, Sean (2012-01-04). "Hands-on: hacking WiFi Protected Setup with Reaver". Condé Nast Digital. Retrieved 2012-01-20.
- "Windows Connect Now–NET (WCN-NET) Specifications". Microsoft Corporation. 2006-12-08. Retrieved 2011-12-30.
- "reaver-wps". Retrieved 2011-12-30.
- Dennis Fisher (2011-12-29). "Attack Tool Released for WPS PIN Vulnerability". Retrieved 2011-12-31. "This is a capability that we at TNS have been testing, perfecting and using for nearly a year."
- Cherry, Bryce. An Emphasis On Physical Security for Wireless Networks AKA The Dangers Of Wi-Fi Protected Setup http://www.youtube.com/watch?v=kRhyvRAUG6k Retrieved 2014-7-14